MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VectorStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546
SHA3-384 hash: a0189d9378cc0cad64ecd20ab8a82bffce22f96dc01ff72e27f60630bd3a1f737a4ff78fec32bda6d01373429d317e51
SHA1 hash: 2f91a571316167db4eefe314aa61f5ba697337f6
MD5 hash: b2650b0e9b9a00c8912e731352a89c12
humanhash: berlin-crazy-nebraska-washington
File name:3 Hire Invoice CP March 15 2023_pdf.exe
Download: download sample
Signature VectorStealer
Create hunting rule
File size:1'526'272 bytes
First seen:2023-03-16 21:35:24 UTC
Last seen:2023-03-20 07:25:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:+FtJTxPDVg+Vm0i7eLmyADb/lLKMdBmwW2B6YKZZ8ULG7EbUeCagkH:atFJDVvm0TLUnl2YdRKZZ8leDgkH
Threatray 16 similar samples on MalwareBazaar
TLSH T1E465228C662E6B86CD7C33FE805564A843756A149312E33D8EC926FB1EF2BC4C541E57
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f8ec96b2b296ccf0 (8 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter James_inthe_box
Tags:exe VectorStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3 Hire Invoice CP March 15 2023_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-16 21:36:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6ba2809d-d8c0-4118-91aa-6c6a3eba270e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374902/
Detection(s):
Sanesecurity.Malware.29041.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gorgon packed
Link:
https://www.filescan.io/uploads/64138bc3c65d1ebf04c0cd21/reports/6f50f788-7bb4-4472-a36d-83a3648051b7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8265ac1-1a65-4fde-b0e5-85d7e73d1825
Result
Threat name:
Vector Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195375
Signature
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected Vector Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 04:40:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szmuk35reutehgu2u57ymebskfvk24xibahtp6tmr2i42zojuvda._file
Verdict:
malicious
Similar samples:
1774cd8233be7c7a4e7b67112f0f45b9cc3de029ae8bd54fc07e4ef814406bd0
VectorStealer
483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587
VectorStealer
57cff3a25d0e209ae16b6c411c95be97880fdf3075d2b33b32a20dda8d611d5f
VectorStealer
62d89b5997bfef1759d735155650027c0c6ffbc930fa5af742c4f481e884800b
VectorStealer
659d786131454bee09b1cf35abfbec971dd4d3bed16b34805332be4ddd33202b
VectorStealer
660be0a4c68d2de50374918bc1c701274f9f46846fb1f29d6789ddba868a45f8
VectorStealer
adb09eb6718421aff9cfd0dd2188ceab7c52e4c1f33ff3b3e56d37e8b09aadd1
VectorStealer
c25c1e9563571e21338fc504121c77287684849807dfb6acae1b3075805a5943
VectorStealer
d6ddfb183079fd5ea960c75022874f71bd25f9586c748ab9cec41e39e437e725
VectorStealer
d88be59f311dbbeb10b94d76c0750d9ac0f2fd05b92064063d496a7b2bc9bb4e
VectorStealer
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230316-1fwzcach75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a7f7367afa1e7bcdc175c8ef28575f165e940452c76d69c8a695e8dd1cb102c7
MD5 hash:
99892aaee83c1ba5fe993de739edc747
SHA1 hash:
e0ad94d0da2a7f3d17252547e26964f10ca18c28
Link:
https://www.unpac.me/results/8323a010-c3ba-425b-9d3a-7564dacceef1/
SH256 hash:
1126193683ba1cbfbdfd53ce493e78fc49d568854ddad8a9f23975fd55998b46
MD5 hash:
2cff9ef68570cc4b37f80a77af01a343
SHA1 hash:
ddec6ef37e20f4a4ce0889fa316d659b745585e2
Link:
https://www.unpac.me/results/8323a010-c3ba-425b-9d3a-7564dacceef1/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/8323a010-c3ba-425b-9d3a-7564dacceef1/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ab7ad325cc84f65ee3f33d0409a1be0e39b543dc88024c3961095e3b644e94ed
MD5 hash:
2fa2888b65bed209148aa3e1b32efbb6
SHA1 hash:
60753b00e0e189cb518644ec71c2fb8cacb8b462
Link:
https://www.unpac.me/results/8323a010-c3ba-425b-9d3a-7564dacceef1/
SH256 hash:
e88adafb13493f8270ba662581c57af28c2d6a470128c82347ea8fa45a3a3c61
MD5 hash:
4891b63211469ae5593bf1def3557912
SHA1 hash:
06f5be651e48ab7842dcf5685cccee7841375b3a
Link:
https://www.unpac.me/results/8323a010-c3ba-425b-9d3a-7564dacceef1/
SH256 hash:
9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546
MD5 hash:
b2650b0e9b9a00c8912e731352a89c12
SHA1 hash:
2f91a571316167db4eefe314aa61f5ba697337f6
Link:
https://www.unpac.me/results/8323a010-c3ba-425b-9d3a-7564dacceef1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9659456fb125/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/9659456fb12526439a9aa77f861032516aad72e8080f37fa6c8e91cd65c9a546

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/374902/

Comments